Results 1 to 3 of 3

Thread: Smitfraud removal

  1. 2007-10-16, 04:11 #1
    dirtymurph
    dirtymurph is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    1

    Default Smitfraud removal

    I have smitfraud and a few trojans I cant seem to get rid of.I ran spybot and still cant remove them.This is my smitfraud fix report.Any help would be greatly appreciated.



    SmitFraudFix v2.240

    Scan done at 20:54:27.96, Mon 10/15/2007
    Run from C:\Documents and Settings\John\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\RY47J1WL\jdk-6u3-windows-i586-p-iftw[1].exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ace16win.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\John\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\John\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Motorola SURFboard SB5100 USB Cable Modem - Packet Scheduler Miniport
    DNS Server Search Order: 24.116.199.232
    DNS Server Search Order: 24.116.2.34

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{500C8560-CBC2-468F-97E2-D98DEED115F9}: DhcpNameServer=24.116.199.232 24.116.2.34
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{500C8560-CBC2-468F-97E2-D98DEED115F9}: DhcpNameServer=24.116.199.232 24.116.2.34
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{500C8560-CBC2-468F-97E2-D98DEED115F9}: DhcpNameServer=24.116.199.232 24.116.2.34
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.116.199.232 24.116.2.34
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.116.199.232 24.116.2.34
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.116.199.232 24.116.2.34


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  2. 2007-10-16, 14:34 #2
    pskelley
    pskelley is offline
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    http://forums.spybot.info/showthread.php?t=16806 <<< see this

    You need to take the time to read the instructions posted above and at the top of the forum.

    TeaTimer will block changes we must make, use these instructions and turn it off until we are finished:
    http://russelltexas.com/malware/teatimer.htm

    Since you have posted a Smitfraudfix report and you are infected, do this now:

    http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

    Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infect files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    Restart the computer, post the C:\rapport.txt and a HijackThis log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
  3. 2007-10-22, 18:19 #3
    tashi
    tashi is offline
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Due to lack of a response to your helper, this topic has been archived.

    If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules